Ketryx Integration

* chore(gha): Spike for Ketryx integration
* chore(gha): Allow to skip jobs/steps via commit message, see CONTRIBUTING.md
* fix(platform): Fix broken pytest collection if user does not have permission to access aignx test bucket

Author: helmut-hoffer-von-ankershoffen

.github/workflows/_audit.yml

@@ -18,7 +18,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
         with:
           version: "0.6.3"
           enable-cache: true

.github/workflows/_ketryx_report_and_check.yml

@@ -0,0 +1,53 @@
+name: "Report build to Ketryx and check for approval"
+
+on:
+  workflow_call:
+    # No inputs needed at this time
+
+env:
+  # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
+  PYTHONIOENCODING: "utf8"
+
+jobs:
+
+  ketryx_report_and_check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Download test results for ubuntu-latest generated in _test.yml
+        uses: actions/download-artifact@v4
+        with:
+          name: test-results-ubuntu-latest          
+
+      - name: Download audit results generated in _audit.yml
+        uses: actions/download-artifact@v4
+        with:
+          name: audit-results          
+
+      - name: Report build to Ketryx and check for approval
+        uses: Ketryx/ketryx-github-action@v1.4.0
+        with:
+          project: ${{ secrets.KETRYX_PROJECT }}
+          api-key: ${{ secrets.KETRYX_API_KEY }}
+          build-name: "ci-cd"
+          check-dependencies-status: true
+          test-junit-path: reports/junit_*.xml
+          cyclonedx-json-path: |
+            reports/sbom.json
+          artifact-path: |
+            reports/sbom.spdx
+            reports/licenses.csv
+            reports/licenses.json
+            reports/licenses_grouped.json
+            reports/vulnerabilities.json
+            reports/mypy_junit.xml
+            reports/coverage.xml
+            reports/coverage.md
+            aignostics.log

.github/workflows/_lint.yml

@@ -18,7 +18,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
         with:
           version: "0.6.3"
           enable-cache: true

.github/workflows/_package-publish.yml

@@ -44,7 +44,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
         with:
           version: "0.6.3"
           enable-cache: true
@@ -88,7 +88,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
         with:
           version: "0.6.3"
           cache-dependency-glob: uv.lock
@@ -153,11 +153,14 @@ jobs:
         shell: bash
         run: make dist
 
-
       - name: Publish distribution to Python Package Index at pypi.org
         shell: bash
         run: uv publish -t ${{ secrets.UV_PUBLISH_TOKEN }}
 
+      - name: Download test results for ubuntu-latest generated in _test.yml
+        uses: actions/download-artifact@v4
+        with:
+          name: test-results-ubuntu-latest          
 
       - name: Have audit checks publish to reports/ for auditing
         shell: bash

.github/workflows/_scheduled-audit.yml

@@ -17,7 +17,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
         with:
           version: "0.6.3"
           enable-cache: true

.github/workflows/_scheduled-test.yml

@@ -17,7 +17,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
         with:
           version: "0.6.3"
           enable-cache: true

.github/workflows/_test.yml

@@ -10,25 +10,27 @@ env:
 
 jobs:
 
+  generate-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Set matrix based on commit message
+        id: set-matrix
+        run: |
+          if [[ "${{ github.event.head_commit.message }}" == *"skip:test:matrix-runner"* ]]; then
+            echo 'matrix={"runner":["ubuntu-latest"],"experimental":[false]}' >> $GITHUB_OUTPUT
+          else
+            echo 'matrix={"runner":["ubuntu-latest"],"experimental":[false],"include":[{"runner":"ubuntu-24.04-arm","experimental":true},{"runner":"macos-latest","experimental":true},{"runner":"macos-13","experimental":true},{"runner":"windows-latest","experimental":true},{"runner":"windows-11-arm","experimental":true}]}' >> $GITHUB_OUTPUT
+          fi
+
   test:
+    needs: generate-matrix
     runs-on: ${{ matrix.runner }}
     continue-on-error: ${{ matrix.experimental }}
     strategy:
       fail-fast: false
-      matrix:
-        runner: [ubuntu-latest]
-        experimental: [false]
-        include:
-          - runner: ubuntu-24.04-arm
-            experimental: true
-          - runner: macos-latest
-            experimental: true
-          - runner: macos-13
-            experimental: true
-          - runner: windows-latest
-            experimental: true
-          - runner: windows-11-arm
-            experimental: true
+      matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }}
     permissions:
       attestations: write
       contents: read
@@ -41,7 +43,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
         with:
           version: "0.6.3"
           enable-cache: true
@@ -117,6 +119,7 @@ jobs:
           uv run --all-extras aignostics application run list --verbose --limit 1
 
       - name: Test / regular
+        if: (!contains(github.event.head_commit.message, 'skip:test:regular'))
         shell: bash
         run: |
           set +e
@@ -146,6 +149,7 @@ jobs:
           exit $EXIT_CODE
 
       - name: Test / long running
+        if: (!contains(github.event.head_commit.message, 'skip:test:long-running'))
         shell: bash
         run: |
           set +e
@@ -181,7 +185,7 @@ jobs:
           name: test-results-${{ matrix.runner }}
           path: |
             reports/mypy_junit.xml
-            reports/junit.xml
+            reports/junit_*.xml
             reports/coverage.xml
             reports/coverage.md
             reports/coverage_html

.github/workflows/ci-cd.yml

@@ -15,7 +15,7 @@ on:
 jobs:
 
   lint:
-    if: (!contains(github.event.head_commit.message, '[skip ci]'))
+    if: (!contains(github.event.head_commit.message, 'skip:ci'))
     uses: ./.github/workflows/_lint.yml
     permissions:
       contents: read
@@ -24,7 +24,7 @@ jobs:
     secrets: inherit
 
   audit:
-    if: (!contains(github.event.head_commit.message, '[skip ci]'))
+    if: (!contains(github.event.head_commit.message, 'skip:ci'))
     uses: ./.github/workflows/_audit.yml
     permissions:
       contents: read
@@ -33,7 +33,7 @@ jobs:
     secrets: inherit
 
   test:
-    if: (!contains(github.event.head_commit.message, '[skip ci]'))
+    if: (!contains(github.event.head_commit.message, 'skip:ci'))
     uses: ./.github/workflows/_test.yml
     permissions:
       attestations: write
@@ -44,7 +44,7 @@ jobs:
 
 
   codeql:
-    if: (!contains(github.event.head_commit.message, '[skip ci]'))
+    if: (!contains(github.event.head_commit.message, 'skip:ci'))
     uses: ./.github/workflows/_codeql.yml
     permissions:
       actions: read
@@ -54,12 +54,25 @@ jobs:
     secrets: inherit
 
 
-  package_publish:
+  ketryx_report_and_check:
 
     needs: [lint, audit, test, codeql] 
 
+    uses: ./.github/workflows/_ketryx_report_and_check.yml
+    if: (!contains(github.event.head_commit.message, 'skip:ci'))
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+    secrets: inherit
+
+  package_publish:
+
+    needs: [ketryx_report_and_check] 
+
     uses: ./.github/workflows/_package-publish.yml
-    if: (startsWith(github.ref, 'refs/tags/v') && (!contains(github.event.head_commit.message, '[skip ci]')))
+    if: (startsWith(github.ref, 'refs/tags/v') && (!contains(github.event.head_commit.message, 'skip:ci')))
     permissions:
       attestations: write
       contents: write
@@ -69,9 +82,9 @@ jobs:
 
   docker_publish:
 
-    needs: [lint, audit, test, codeql]
+    needs: [ketryx_report_and_check]
 
-    if: (startsWith(github.ref, 'refs/tags/v') && (!contains(github.event.head_commit.message, '[skip ci]')))
+    if: (startsWith(github.ref, 'refs/tags/v') && (!contains(github.event.head_commit.message, 'skip:ci')))
     uses: ./.github/workflows/_docker-publish.yml
     permissions:
       attestations: write